77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f

General

Target

77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe
Size

309KB
MD5

cdd0ddbd896f51d1b1bf6623e0a0210d
SHA1

83bc6e909e11f557dc4505a8f99ed9d72ba18c6b
SHA256

77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f
SHA512

66c5f196297ee8fcd31bb3ad4594828f052053e83dd09c03372cade69f62cc511c857aec204ae9fe60b4a80733053a3819d83c262d79d391e79b8980870d4e40

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe

description	pid	process	target process
PID 4328 set thread context of 3260	4328	77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe	77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe

pid	process
3260	77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe
3260	77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2480
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe

pid process

3260 77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe

pid	process
2480

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe

description	pid	process	target process
PID 4328 wrote to memory of 3260	4328	77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe	77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe
PID 4328 wrote to memory of 3260	4328	77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe	77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe
PID 4328 wrote to memory of 3260	4328	77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe	77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe
PID 4328 wrote to memory of 3260	4328	77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe	77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe
PID 4328 wrote to memory of 3260	4328	77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe	77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe
PID 4328 wrote to memory of 3260	4328	77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe	77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe

C:\Users\Admin\AppData\Local\Temp\77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe
"C:\Users\Admin\AppData\Local\Temp\77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4328

C:\Users\Admin\AppData\Local\Temp\77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe
"C:\Users\Admin\AppData\Local\Temp\77943b0beb1c505731e3d3f08151b874924c7ac2a533fdbe335f8a36e05ab53f.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3260-130-0x0000000000000000-mapping.dmp

Download
memory/3260-131-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3260-134-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3260-135-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4328-132-0x0000000000CCD000-0x0000000000CDD000-memory.dmp

Filesize
64KB

Download
memory/4328-133-0x0000000000C90000-0x0000000000C99000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads